Topic: IPSec Site to Site - Disconnects  (Read 12779 times)
« on: December 01, 2009, 20:22:49 »
guep *
Posts: 9

I have three sites connected with m0n0wall (now with Ver. 1.3).


All three sites use dynamic IP addresses and DynDNS.
After applying the VPN-IPsec settings, the tunnel comes up and works fine.
But sometimes, after 1-2 days, no traffic is possible through the tunnel.
The IP address does not change and there is no error in the log.

The same failure sometimes occurs after a disconnect (new IPs).
But in this case the log has the following entry:

racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 84.119.xx.xx[500]->84.119.xx.xxx[500]
Dec 1 15:57:52    racoon: INFO: begin Identity Protection mode.
Dec 1 15:57:52    racoon: INFO: initiate new phase 1 negotiation: 84.119.xx.xxx[500]<=>84.119.xx.xxx[500]
Dec 1 15:57:52    racoon: INFO: IPsec-SA request for 84.119.xx.xxx queued due to no phase1 found.
Dec 1 15:57:39    racoon: INFO: delete phase 2 handler.
Dec 1 15:57:39    racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 84.119.xx.xxx[500]->84.119.xx.xxx[500]
Dec 1 15:57:36    racoon: ERROR: phase1 negotiation failed due to time up. 6ab950fdada74502:0000000000000000


After pressing the "save"-button in IPSec-configuration the tunnel works again.
Are there any problems with "DPD" and "IPsec DNS check interval" in the m0n0wall software, or is there a mistake in my configuration?

<ipsec>
  <dns-interval>30</dns-interval>
  <tunnel>
    <dpddelay>30</dpddelay>
    <interface>wan</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>192.168.xxx.0/24</remote-subnet>
    <remote-gateway>xxxxxxx.dyndns.org</remote-gateway>
    <p1>
      <mode>main</mode>
      <myident>
        <address>192.168.xxx.1</address>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>md5</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <pre-shared-key>XXXXXXXX</pre-shared-key>
      <private-key />
      <cert />
      <peercert />
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>2</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>xxx</descr>
  </tunnel>
  <enable />
</ipsec>

greets
Günter
« Reply #1 on: January 22, 2010, 18:52:10 »
guep *
Posts: 9

Unfortunately, I still have the same problems.
Since the update to Ver. 1.3, the problems after an ISP disconnect (because of the new IP) do not happen anymore, but the connection always breaks again after a while.
In my opinion, this always happens after the preset lifetime.

Here's my log:

Jan 22 17:18:56    racoon: INFO: ISAKMP-SA deleted 84.xxx.xx.xxx[500]-84.xxx.xx.xxx[500] spi:xxxxxxxxxxxx:d047907d9bc04f3b
Jan 22 17:18:55    racoon: INFO: ISAKMP-SA expired 84.xxx.xx.xxx[500]-84.xxx.xxx.xxx[500] spi:xxxxxxxxxxxxxx:d047907d9bc04f3b
Jan 22 09:18:56    racoon: INFO: IPsec-SA established: ESP/Tunnel 84.xxx.xx.xxx[500]->84.xxx.xx.xxx[500] spi=xxxxxxxx(0xa13d1d9)
Jan 22 09:18:56    racoon: INFO: IPsec-SA established: ESP/Tunnel 84.xxx.xx.xxx[0]->84.xxx.xx.xxx[0] spi=xxxxxxxxx(0xc248826)
Jan 22 09:18:56    racoon: INFO: initiate new phase 2 negotiation: 84.xxx.xx.xx[500]<=>84.xx.xx.xxx[500]
Jan 22 09:18:55    racoon: INFO: purging spi=xxxxxxxx.

In the log you can see that the ISAKMP-SA should be deleted, but it is not.
I must clear the connection by hand. After that, the connection is established in seconds.



Are there any remedies for this problem?
« Reply #2 on: January 23, 2010, 05:17:00 »
rpsmith ***
Posts: 113

I believe the Phase 1 life time should be larger than the Phase 2 life time.  I use 172800 for P1 and 86400 for P2.  Give that a try and see if it helps.  Also, unless you have a requirement to run 3DES, I would suggest you use AES and Rijndael (AES) instead.

Roy...
« Last Edit: January 23, 2010, 05:21:50 by rpsmith »
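As an added example (not code from the thread or from m0n0wall), the following lints an m0n0wall <ipsec> fragment for the points raised so far: the P1 lifetime being shorter than the P2 lifetime, legacy ciphers and MD5, and a fixed local address identifier on a tunnel whose remote gateway is a DynDNS hostname. SAMPLE_CONFIG is constructed to mirror the original poster's first config; the finding codes and the LEGACY_CIPHERS set are this example's own.

```python
# Added example (not from the thread): lint an m0n0wall <ipsec> fragment for the
# settings this thread discusses. SAMPLE_CONFIG is constructed to mirror the
# original poster's first config, with a DynDNS peer and a fixed local identifier.
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<ipsec><tunnel>
  <dpddelay>30</dpddelay>
  <remote-gateway>peer.dyndns.org</remote-gateway>
  <p1>
    <myident><address>192.168.10.1</address></myident>
    <encryption-algorithm>3des</encryption-algorithm>
    <hash-algorithm>md5</hash-algorithm>
    <lifetime>28800</lifetime>
  </p1>
  <p2>
    <encryption-algorithm-option>blowfish</encryption-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    <lifetime>86400</lifetime>
  </p2>
</tunnel></ipsec>"""

LEGACY_CIPHERS = {"des", "3des", "blowfish", "cast128"}  # example's own list

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_ipsec(xml_text):
    results = []  # one list of finding codes per <tunnel>
    for tun in ET.fromstring(xml_text).iter("tunnel"):
        p1, p2, found = tun.find("p1"), tun.find("p2"), []
        # rpsmith's rule: the ISAKMP (P1) SA should outlive the IPsec (P2) SA.
        if int(p1.findtext("lifetime", "0")) <= int(p2.findtext("lifetime", "0")):
            found.append("P1_LIFETIME_NOT_LONGER_THAN_P2")
        ciphers = {p1.findtext("encryption-algorithm"), p2.findtext("encryption-algorithm-option")}
        if ciphers & LEGACY_CIPHERS:
            found.append("LEGACY_CIPHER")
        if "md5" in p1.findtext("hash-algorithm", "") + p2.findtext("hash-algorithm-option", ""):
            found.append("MD5_HASH")
        # Hostname peer = dynamic IP; the docs quoted later in the thread want a
        # domain-name identifier there rather than a fixed address.
        if (not is_ip_literal(tun.findtext("remote-gateway", ""))
                and p1.find("myident/address") is not None):
            found.append("ADDRESS_IDENT_WITH_DYNAMIC_PEER")
        results.append(found)
    return results
```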
« Reply #3 on: January 23, 2010, 12:52:55 »
guep *
Posts: 9

Thanks for this information. I will observe it.
I hope this solution works well.
Why do you think I should use AES instead of 3DES? Is it a security issue?

And is it better to use certificates instead of pre-shared keys?

regards
Günter
« Reply #4 on: January 23, 2010, 19:49:47 »
rpsmith ***
Posts: 113

AES is the new standard and is more secure.  I always use AES if both ends support it.  PSK are fine just use a long one.  I generate mine from here:  https://www.grc.com/passwords.htm

Roy...
« Last Edit: January 23, 2010, 19:51:26 by rpsmith »
« Reply #5 on: January 24, 2010, 20:53:40 »
guep *
Posts: 9

My problem with the VPN connection is driving me crazy.

I changed the P1 and P2 lifetimes.

But today I tried to reboot my m0n0wall. After the restart (with a new IP) the VPN connection
could not be re-established.

Log:
Jan 24 20:09:56    racoon: INFO: initiate new phase 1 negotiation: 84.119.xx.xxx[500]<=>84.119.xx.xxx[500]
Jan 24 20:09:56    racoon: INFO: IPsec-SA request for 84.119.xx.xxx queued due to no phase1 found.
Jan 24 20:09:40    racoon: INFO: delete phase 2 handler.
Jan 24 20:09:40    racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 84.119.xx.xxx[500]->84.119.xx.xxx[500]
Jan 24 20:09:35    racoon: ERROR: phase1 negotiation failed due to time up. xxxxxxxxxxxxxx:0000000000000000
Jan 24 20:09:33    racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 24 20:09:10    racoon: INFO: phase2 sa deleted 84.119.xx.xxx-84.119.xx.xxx
Jan 24 20:09:09    racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 24 20:09:09    racoon: INFO: phase2 sa expired 84.119.xx.xxx-84.119.xx.xxx
Jan 24 20:08:52    racoon: INFO: delete phase 2 handler.
Jan 24 20:08:52    racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 84.119.xx.xxx[500]->84.119.xx.xxx[500]
Jan 24 20:08:45    racoon: INFO: begin Aggressive mode

I took a look at the other side and here I can see the problem. In "Diagnostics > IPsec > SPD" the
IP has not changed. It's always the same problem.

Maybe one of the developers can help me. Is it a bug with IPSec and dynamic hosts?

Here is my current configuration of two hosts (the third one uses NAT-T):

Config Host 1:
  <ipsec>
    <dns-interval>20</dns-interval>
    <tunnel>
      <dpddelay>30</dpddelay>
      <interface>wan</interface>
      <local-subnet>
        <network>lan</network>
      </local-subnet>
      <remote-subnet>192.168.xxx.0/24</remote-subnet>
      <remote-gateway>zzzzz.dyndns.org</remote-gateway>
      <p1>
        <mode>aggressive</mode>
        <myident>
          <fqdn>yyyyy.at</fqdn>
        </myident>
        <encryption-algorithm>aes</encryption-algorithm>
        <hash-algorithm>md5</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>86400</lifetime>
        <pre-shared-key>0000000000</pre-shared-key>
        <private-key/>
        <cert/>
        <peercert/>
        <authentication_method>pre_shared_key</authentication_method>
      </p1>
      <p2>
        <protocol>esp</protocol>
        <encryption-algorithm-option>rijndael</encryption-algorithm-option>
        <hash-algorithm-option>hmac_md5</hash-algorithm-option>
        <pfsgroup>2</pfsgroup>
        <lifetime>43200</lifetime>
      </p2>
      <descr> </descr>
    </tunnel>
    <enable/>
  </ipsec>
  <aliases/>
  <proxyarp/>
  <wol/>
</m0n0wall>

Config Host 2:

<ipsec>
  <dns-interval>20</dns-interval>
  <tunnel>
    <dpddelay>30</dpddelay>
    <interface>wan</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>192.168.xxx.0/24</remote-subnet>
    <remote-gateway>AAAA.dyndns.org</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <fqdn>QQQQQ.at</fqdn>
      </myident>
      <encryption-algorithm>aes</encryption-algorithm>
      <hash-algorithm>md5</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>86400</lifetime>
      <pre-shared-key>0000000000</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>2</pfsgroup>
      <lifetime>43200</lifetime>
    </p2>
    <descr> </descr>
  </tunnel>

regards
Günter
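As an added example (not code from the thread or from m0n0wall), the following scans racoon log lines for the pattern the post above shows: the phase 2 SA expires, and every phase 1 renegotiation times out, so the tunnel never comes back until someone presses "save". SAMPLE_LOG is constructed from the thread's message patterns with documentation-range placeholder addresses; the year is assumed because syslog lines carry none.

```python
# Added example (not from the thread): detect the stuck-tunnel pattern from the
# racoon log above. The m0n0wall GUI shows newest lines first, so events are
# sorted by time before scanning. SAMPLE_LOG is constructed from the thread's
# message patterns with documentation-range placeholder addresses.
import re
from datetime import datetime

SAMPLE_LOG = """\
Jan 24 20:09:40 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.1[500]->203.0.113.9[500]
Jan 24 20:09:35 racoon: ERROR: phase1 negotiation failed due to time up. 0000000000000000:0000000000000000
Jan 24 20:09:09 racoon: INFO: phase2 sa expired 198.51.100.1-203.0.113.9
Jan 24 20:08:52 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.1[500]->203.0.113.9[500]
Jan 24 20:08:45 racoon: INFO: begin Aggressive mode
Jan 24 08:08:45 racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[500]->203.0.113.9[500] spi=1234(0x4d2)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+racoon: (INFO|ERROR): (.*)$")
P1_FAILED = ("phase1 negotiation failed due to time up",
             "phase2 negotiation failed due to time up waiting for phase1")

def parse_racoon(log_text, year=2010):
    """Return (timestamp, level, message) tuples, oldest first; the year is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def stuck_tunnel(log_text):
    """Return details if the P2 SA is gone and P1 keeps timing out since the
    last successful IPsec-SA, else None (the tunnel recovered on its own)."""
    last_up, p1_failures, p2_lost = None, 0, False
    for ts, _level, msg in parse_racoon(log_text):
        if "IPsec-SA established" in msg:          # tunnel (re)established: reset
            last_up, p1_failures, p2_lost = ts, 0, False
        elif msg.startswith(("phase2 sa expired", "phase2 sa deleted")):
            p2_lost = True
        elif msg.startswith(P1_FAILED):
            p1_failures += 1
    if p2_lost and p1_failures:
        return {"last_up": last_up.isoformat() if last_up else None,
                "phase1_failures": p1_failures}
    return None
```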


« Reply #6 on: January 24, 2010, 22:01:36 »
rpsmith ***
Posts: 113

Here is a template I use for my tunnels:

<dpddelay>60</dpddelay>
<interface>wan</interface>
<local-subnet>
  <network>lan</network>
</local-subnet>
<remote-subnet>10.1.1.0/24</remote-subnet>
<remote-gateway>1.2.3.4</remote-gateway>
<p1>
  <mode>main</mode>
  <myident>
    <myaddress/>
  </myident>
  <encryption-algorithm>aes</encryption-algorithm>
  <hash-algorithm>sha1</hash-algorithm>
  <dhgroup>2</dhgroup>
  <lifetime>172800</lifetime>
  <pre-shared-key>a-really-long-password-goes-here</pre-shared-key>
  <private-key/>
  <cert/>
  <peercert/>
  <authentication_method>pre_shared_key</authentication_method>
</p1>
<p2>
  <protocol>esp</protocol>
  <encryption-algorithm-option>rijndael</encryption-algorithm-option>
  <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
  <pfsgroup>2</pfsgroup>
  <lifetime>86400</lifetime>
</p2>

You might give that a try.  Also, I have very few problems with static IPs on both ends.  Static to DHCP is not nearly as stable, especially if your DHCP address changes often.

Roy...
« Last Edit: January 25, 2010, 20:19:23 by rpsmith »
« Reply #7 on: January 25, 2010, 21:46:49 »
guep *
Posts: 9

But this is one of my problems. One of my three locations changes its IP once a day,
the other one maybe once a week, sometimes several times.

I tried many different configuration types (also yours), but none works really well.
In one case I had a stable connection for 5 days. But then the tunnel went down (without an IP change) and never came up again.
And sometimes I have a few days without any problems. The connection comes up automatically after an IP change.
I do not know why it works sometimes.

regards
Günter

« Reply #8 on: January 26, 2010, 01:11:15 »
rpsmith ***
Posts: 113

Did you try my last config?  It has several parameters different from the one you posted.  It also seems to help if you have a PC on both ends of the tunnel pinging the remote m0n0wall's LAN IP.

Roy...
« Reply #9 on: January 26, 2010, 19:33:18 »
guep *
Posts: 9

Yes, I tried it too. But with one client I have the same problems as before. The second one is more stable.

I cannot use a static IP for the remote gateway. All sites use dynamic IPs.  In this case I cannot use "my IP address" because the IP changes. Aggressive mode is one of the last things I will try.


regards
günter
« Reply #10 on: January 26, 2010, 19:48:48 »
rpsmith ***
Posts: 113

FYI: "my IP address" does not require you to enter an actual IP address.  It simply means your current WAN IP.

Also, have you tried running a constant ping through the tunnel from both ends?

Roy...
« Last Edit: January 26, 2010, 19:52:05 by rpsmith »
« Reply #11 on: January 27, 2010, 12:43:27 »
guep *
Posts: 9

Yes, I tried to run a constant ping between two PCs, but after the disconnect by the ISP the tunnel never comes up. I must press "save" in the IPsec tab on one m0n0wall.
Then the connection works until the next ISP disconnect.

I tried all the types in the "My identifier" tab.
The documentation tells me to use "domain name" instead of "my IP address" for
dynamic IP addresses.

Günter
« Reply #12 on: January 27, 2010, 13:52:37 »
rpsmith ***
Posts: 113

Are all 3 sites doing this?

Why is the ISP disconnecting you?

Do you have internet connectivity on both ends when the tunnel is dead?

Are both ends DHCP?

Have you tried using OpenDNS (208.67.222.222 & 208.67.220.220) for your DNS servers on the General tab?

Roy...
« Reply #13 on: January 27, 2010, 14:53:03 »
guep *
Posts: 9

Yes, all sites have the same problem. But one site has another ISP, and this ISP
disconnects the site twice a day. Why? I don't know. Maybe you cannot run servers on a private account.

Yes, both sites have connectivity and both sites have dynamic IPs.

I will try OpenVPN. But I think my ISP's DNS is also updated very quickly (if I ping xxx.dyndns.org after the reconnect, I can see the new IP).

Günter
« Reply #14 on: January 27, 2010, 19:51:46 »
rpsmith ***
Posts: 113

Well, you might want to give pfSense a try.  If it has the same problem with IPsec, you can always try site-to-site OpenVPN.  It's not as easy to configure as IPsec, but some folks like it better.

check out:  http://forum.pfsense.org/index.php?topic=20927.msg107808

and this link: http://forum.pfsense.org/index.php/topic,2228.0.html

also, check your PM.

One last thing you might try is to check the "Prefer old IPsec SAs" box on the "System: Advanced setup" page.  I'm not too hopeful that will help but it's probably worth a try.

Roy...
« Last Edit: January 28, 2010, 10:49:19 by rpsmith »